Blog

I just came back onto this site to look at the comments and see that there are a TON, which I didn’t expect. Please note that I have shifted all my blog writing to a dedicated media site called EA Media. The website is http://ea.media .

EA Media will provide my blogs as well as a number of other features:

A Security News Feed

A Technology News Feed

A Job Board pulled from several jobs engines

An alerting service associated with NIST’s National Vulnerability Database.

I will also be adding a Video page as well as dedicate articles soon. Plus, hopefully for July 1, I will start a Magazine that you can download.

As part of EA Media, I have created a Facebook page, a Twitter account, an Instagram account, a YouTube channel, and my blogs will continue to appear in LinkedIn. Please find a method that suits you to see additional information from EA Media.

On May 24th, the US Federal Trade Commission released a report where they wanted to test how long it takes for stolen information to be made use of in the wild. The FTC has an Office of Technology and they are responsible for the security of the FTC infrastructure. This group had an Identity Theft workshop and they released the information that they found to those that attended the workshop.

The process they followed was as interesting as the results. They first created 100 fake identities, including specific “personal information” as well as associated credit card information. They then placed that information on a website known to be a clearinghouse and monitored how the information was taken and used.

It took only 1.5 hrs or 9 minutes (depending on the time of release) for the information to be made use of.

Within 2 weeks, the information was used 1108 times in unauthorized access attempts.

Priorities were to make use of Credit Cards, then Email Accounts, then finally payment accounts.

The IP addresses that tried to make use of the information were primarily from the US, followed by the UK and then Brazil (I suspect that this may be dependent on the location the information was released).

Just under $13000 was charged online to the credit cards within 2 weeks with most purchases being between $1 – $10 in value.

So how do you deal with this? Well, let’s look at this in order of impacting the use of the information.

Pre-Theft

If possible, have the information encrypted or, at a minimum, accessible only through 2-factor authentication. The FTC study determined that information that was hard to use wasn’t used nearly as much as information that was in plain text.

During Theft

Monitoring is going to be important. Given how fast stolen information is made use of, the proper implementation of logging and a SIEM makes detection that much more important. So detection is critical in limiting how bad the theft will be.
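A defender-side version of the FTC’s measurement, as an added example that is not from the original post or from the FTC: planted honeytoken identities are matched against SIEM-style log lines so that any use raises an alert, the time to first use is computed, and attempts are broken down by type and source country. The identifiers, the log lines and the IP-to-country map are all constructed for the example.

```python
"""Honeytoken monitoring modelled on the FTC planted-identity study.

Added example: identities, log lines and the IP-to-country table are
constructed inline so the script runs offline.  Nobody legitimate should
ever use a planted identity, so every hit is a detection, not noise.
"""
from collections import Counter
from datetime import datetime

# Constructed fake identities planted as honeytokens (test-range PAN, canary
# mailbox, dummy payment account).  None of these are real accounts.
HONEYTOKENS = {
    "4111111111111111": "credit_card",
    "jane.doe.canary@example.com": "email",
    "pay-canary-0042": "payment",
}

# Constructed moment the data was released to the clearinghouse.
PLANTED_AT = datetime(2017, 5, 24, 12, 0, 0)

# Constructed SIEM-style records: timestamp|source_ip|identifier|outcome
LOG_LINES = """\
2017-05-24T13:30:00|203.0.113.7|4111111111111111|auth_attempt
2017-05-24T13:39:02|198.51.100.9|jane.doe.canary@example.com|login_fail
2017-05-24T14:02:45|203.0.113.7|4111111111111111|charge_attempt
2017-05-25T09:12:00|192.0.2.55|pay-canary-0042|login_fail
2017-05-25T09:15:30|203.0.113.7|unrelated.user@example.com|login_ok
""".splitlines()

# Constructed lookup; a real deployment would query a GeoIP database.
IP_COUNTRY = {"203.0.113.7": "US", "198.51.100.9": "GB", "192.0.2.55": "BR"}


def parse_line(line):
    """Split one pipe-delimited record into a dict with a parsed timestamp."""
    ts, ip, ident, outcome = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "ident": ident, "outcome": outcome}


def honeytoken_hits(lines):
    """Keep only events that touch a planted identifier.

    Each returned event is an alert in its own right: the SIEM rule is
    simply 'identifier in HONEYTOKENS', with no threshold needed.
    """
    return [ev for ev in map(parse_line, lines) if ev["ident"] in HONEYTOKENS]


def time_to_first_use(hits):
    """Minutes between planting and the first observed use (the FTC metric)."""
    first = min(ev["ts"] for ev in hits)
    return (first - PLANTED_AT).total_seconds() / 60


def summarize(hits):
    """Attempt count plus breakdowns by identity type and source country."""
    by_type = Counter(HONEYTOKENS[ev["ident"]] for ev in hits)
    by_country = Counter(IP_COUNTRY.get(ev["ip"], "unknown") for ev in hits)
    return {"attempts": len(hits),
            "by_type": dict(by_type),
            "by_country": dict(by_country)}


if __name__ == "__main__":
    hits = honeytoken_hits(LOG_LINES)
    print(f"ALERT: {len(hits)} honeytoken event(s)")
    print(f"time to first use: {time_to_first_use(hits):.0f} min")
    print(summarize(hits))
```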

Post Theft

You need to understand that once the Genie is out of the Bottle, you won’t put it back in again. The sooner you report to the people whose information has been taken, the better. If you delay, then the information can be used much more frequently.

Most of this is common sense but it’s nice to see some actual data talking about the speed of use of stolen information. The next time someone wants to talk about risks, you now have some information that describes how real risks are.

I was thinking about how security permeates everything and I thought I’d show how much so by taking 3 news stories from this morning and explaining how security is a part of each one of these stories. Now, at first glance, these stories aren’t necessarily easily identifiable but all 3 go to the core values of security of Confidentiality, Integrity, and Availability. So, to that end, let’s take these stories and decompose them.

This is a story from AP that talks about how Ukraine raided the offices of the Russia-based search engine Yandex. The Ukrainian government said it was in response to the Russian annexation of Crimea.

From a security point of view, let’s look at how this could have been dealt with by a Security Architect. In this case, you are talking about a combination of the Integrity and the Availability of the company’s product/service – their search engine.

Availability can be dealt with by having multiple data centers and not being dependent on any one particular location. The Integrity can be shown by auditing records indicating whether search results are impacted by government mandates or whether their algorithms work without manual interference.

At first blush, this doesn’t look like a security event. Hell, it doesn’t even look like something that will impact UBER (BTW, my condolences to Mr. Kalanick on his loss). But this is a case of where Mr. Kalanick, as the CEO of UBER, will be personally impacted and, as such, will most likely be impacted emotionally and through his performance.

This is a case where there needs to be checks and balances on the decisions that are made to ensure that emotions haven’t negatively impacted decisions. Now, this isn’t a technology based activity but, rather, a process one. But it is something that should be put into place to ensure the integrity of the decisions is of the highest quality.

British Airways (BA) had cancelled all flights from Heathrow and Gatwick airports because of an IT outage, which it blamed on a power supply problem. But, at the end of the day, if an outage occurs and impacts business, then there is also an issue with the Disaster Recovery Plan for British Airways.

From a Security Architecture point of view, it’s important to always include DR in the design that you are putting together. Now, it may be that the business decided that they weren’t worried about DR or maybe they didn’t want to spend the extra money. In that case, the Security Architect needs to ensure the business understands the impact if an outage occurs. In this case, the Risk Impact Assessment would have shown an impact to the reputation of BA as well as to the financial health since I’m sure the airline will need to reimburse their customers in some way.

These are the first 3 stories that I found on Associated Press’s (AP) news feed and, in each case, you have situations where considering the C.I.A of a solution would have dealt with potential issues moving forward. So, in the future, if someone says that a Security Architect isn’t needed in a design, just pull out a few stories from the news and ask them how they would have dealt with them.

I was thinking this morning of all the technologies that are specific to security (Firewalls, IPS, AV, SIEMs, etc.) and, after a little thought, I realized that there weren’t too many. I thought that simply because there were a number of technologies that I kept having to say “No, that’s not specific to security”. So I thought I’d make a list just as an object lesson in how security permeates everything.

To that end, here are the technologies that I think aren’t specific to Security but are so very important for security.

VLANs/VRFs/VPN – At the network layer, VPN, VLANs, and VRFs allow you to segment traffic. They were originally meant to speed up communication between different servers and computers by logically grouping them together but, at the end of the day, they also allow you to isolate them as well.

Asset Management – Different people will use different terms for these technologies but, at the end of the day, if you don’t know what assets you have, how can you secure them? Having an Asset Management system is hugely important to the security of your organization.

Patch Management – There are numerous patch management solutions that an Enterprise can use and it’s typically to deal with any software updates that your equipment will have. But security patches are part of all that, so this makes it extremely important to improving the security posture of your organization. Can you say WannaCry?

Network Zoning – this isn’t a technology as much as it is a concept. We put in Test/Dev, QA, Production environments so that any changes we make don’t impact the already existing Production environment. Isn’t that also a security imperative?

Group Policy Objects (GPO) – GPO is a concept that is used for controlling the activities within a Domain. It has all sorts of impacts but one of its greatest is specifying security activities.

Proxies – You will probably say that a Proxy Server is a security tool but I would have to disagree with you. Remember, Proxies were originally created because there was the foresight that IP address spaces were running out. So Proxies allowed for the translation of Public IP address spaces to Private address spaces. Now? We use that to allow for “hiding” of assets inside the organization.

Unit Testing/Integration Testing – Whenever you create an application, you have to test the individual components. But that testing often will find security flaws as well. It’s not Black Box or White Box testing, but at the end of the day, any testing is better than nothing.

Corporate Policies – Most Enterprises have Policies and those policies can and will drive security practices.

Workflow solutions – Originally, Provisioning and Workflow solutions were separate. But there was such a correlation between identity provisioning and the workflows that kicked that off that a lot of workflow solutions are now integrated with provisioning solutions.

HR Solutions – Like Asset Management solutions, if you don’t know WHO should be in your organization, how can you provision them or allow access? HR Solutions are extremely important to security.

What have I missed? What other technologies are used that are important to security? Let me know ’cause it’s an interesting conversation.

The US Department of Homeland Security announced a vulnerability that they think can be leveraged the same way as the WannaCry attack. The vulnerability was found in Samba which, if you are not aware of what Samba is, is a networking protocol that can be used for File and Print Sharing (amongst other things).

An important thing to understand about Samba is that it runs on Linux and Unix variants, of which the Mac OS is one. Most people aren’t aware that the Mac OS is a variation of Unix, which is one of the reasons why it’s not nearly as vulnerable as Windows machines.

So, when it comes to being leveraged like the WannaCry attack, it’s primarily Server and Network based equipment that are vulnerable and need to be patched.

Or is it?

I did a quick look up at NetMarketshare to see what the percentage of Operating Systems were in place in the world and, after Windows 7/10/XP/8.1, the MacOS v10.12 comes in with a 3.21% market share. That’s huge. And that doesn’t add in the other versions of MacOS.

Now, if you remember the purpose of the WannaCry attack, it was to Greenmail organizations into paying a nominal amount for unlocking the computer. But the thing to remember about organizations is that they have the resources to patch and, potentially, respond to these types of incidents. But what about MacOS owners? Who are they?

They’re primarily home owners.

So what do you want to bet that the next attack won’t be against an individual organization but against the home owner that may be able to pay something small like, oh say, $20. That, as a lawyer friend of mine said, is a great business model.

We, as security professionals and architects, tend to only view issues in terms of Enterprises. That’s where we get paid and where we can implement the fancy security solutions. But the sheer volume of Operating Systems is owned by Home Owners. And, if I was a “Business Model” focused person aware of the new vulnerability, I’d be looking for the economies of scale.

Tell all your friends and family to patch up their MacOS machines. Unless they want to pay for the greenmail and the visit to the local Geek Shop.

Dark Reading published a news article yesterday titled “Data Breach, Vulnerability Data on Track to Set New Records in 2017”. The article cites a report from Risk Based Security that shows that vulnerabilities totaled 4837 in Q1 this year which is 29.2% higher than those found in 2016.

Now, to be clear, I don’t have the report to go over the details and understand what exactly is being tracked. There are some obvious questions such as:

Are these full Applications or does that include Mobile Apps? Remember Mobile Apps are growing leaps and bounds and are much easier to publish and sell than full applications.

Where are they getting their vulnerability counts from? Are these confirmed vulnerabilities or just reported but unconfirmed vulnerabilities?

Are these vulnerabilities that are aligned with NIST’s National Vulnerability Database?

But, at the end of the day, if their measuring mechanisms are the same as from previous years, then we can say that there has been a growth in vulnerabilities. And that tells us something about Application Development. Simply – secure development activities are not being included in the publisher’s development practices.

We’ve seen this type of growth before. There was a major growth back in the late ’90s when the amount of workstation and server based application development exploded. The result was that large organizations started integrating security into their development lifecycles because their reputations were at risk. Remember how Microsoft was viewed at the time?

It’s a shame that people still haven’t learned to integrate secure development practices into their App Dev environment. The same report talking about the growth of vulnerabilities also talked about 3.4 Billion records being exposed. And those types of numbers get people fired.

What’s different this time around, though, is that governments are starting to put legislation into place to force improvements in security. It’s no longer a worry about loss of market share that organizations have to deal with. It’s now legal responsibilities. And I don’t think that AppDev environments understand that just yet. Probably because the legal aspects are relatively new.

At the end of the day, it doesn’t matter what we do at the infrastructure layer. We can put in security technologies such as IPS’ and SIEMs, Firewalls and Malware protection. But if the solutions being developed inherently have vulnerabilities, then they are going to be acted on. Just look at the WannaCry issue.

Until organizations require PROOF that an application has been tested for vulnerabilities and has been shown to go through a SDLC of some sort, this sort of thing will continue to happen. But the outside world is changing and taking advantage of these vulnerabilities is no longer the realm of Script Kiddies. And just accepting these things is not going to be acceptable much longer.

I was looking at the newsfeed this morning and I noticed one from Reuters – “Amid industry pushback, China offers changes to cyber rules: sources” – which talks about how China is implementing cybersecurity rules for protecting data that any company operating in China will need to adhere to. This includes any global company operating there.

Add to that the Presidential Executive Order Trump signed to strengthen cyber security requirements, the new Canadian rules that came in 2015, and any number of other legislation and you can see what is happening very clearly.

Cyber Security is no longer allowed to be an “add-on” to an organization’s IT group. Traditionally, Security has been part of the CIO’s office and has just been viewed as just another department in the IT group. Security professionals have been espousing having the CISO at the Executive table for years but it’s never been put there. But now? I don’t think that’s going to last too much longer.

Some organizations have the person that owns security so far down the organizational chart that it’s not even a Director level position. And the lower down the organization, the lower the priority security typically is to the Executive level.

But with all this new legislation, you are going to see the CISO role rise to the C-level. How it will be implemented will depend on the organization but the CISO at the C-level will, at a minimum, result in a group that does audit and compliance associated with security.

The impact will definitely be felt by the Utilities in Canada. Because they are required to be in compliance with NERC, you are going to see the US legislation impact the Security Manager role. Trump’s Executive Order focuses on critical infrastructure and pushes the CISO role to the forefront. The CISO role will, as a result, rise to the executive level and be required to have a seat at the table.

This, though, will be a problem for one very simple reason – most security people don’t have a “business” slant to their view of the world. Remember, the role of business is to succeed in their vertical. But we all know the security people that don’t bend and take a militant view on security. So it’s going to be difficult to find the CISO that also understands they have to support the business.

The same problem has been faced by CIOs. Most CIOs focus on IT for IT’s sake. They forget that the technology is meant to support the business. As a result, CIOs were (for the longest time) put at the “kids table” for the Executives. Once they show that they add value to the business, they can join the big kids. The same is going to apply to the CISO role.

Now, if you want to be at the Executive level, you are going to need to show that you understand business and are able to blend a more secure business environment with a manner that allows the business to thrive. The days of ignoring security are over but finding someone that actually understands security to be the organization’s CISO is going to be difficult.

We are now starting to see the emergence of Nation State cyber attacks. Why now and what to expect? Read on and find out…

Well, we are now starting to see evidence that North Korea had a hand in the Ransomware attack that occurred a few days ago. Both Symantec and Kaspersky Labs have found hints in the Ransomware code from previous malware that is known to have come from North Korea.

For those of you keeping track, I can think of 4 very conspicuous instances of Nation States attacking other Nation States using cyber technologies. The original, Stuxnet, was launched by the US against Iran to take down their nuclear centrifuges. Iran retaliated by attacking the US banks. All that was back in 2010 but things have slowly been escalating.

You had the Russian hacking of the DNC computers and intentionally impacting the US election. And we are all paying as a result. You’ve had the attack on Sony by North Korea in 2014 because of the Sony film “The Interview”.

And now you have what appears to be another attack based in the Ransomware events.

So, why are we seeing these attacks now and what can we expect moving forward? Well, I would suggest that the reason for the “why now” question can be answered by looking at history back when the Air Force came into being.

Remember, the original armed forces were the Army and the Navy. The Air Force was originally split between the two with the Army being responsible for air attacks over land and the Navy being responsible for air attacks over the sea. The Air Force as a military branch didn’t come into being until 1947 even though airplanes were being used all the way back in World War 1. So, basically, it became a formal structure some 44 years after the first powered flight.

Things don’t move quickly, as much as we would like to think that they do. As technology advances and information becomes more easily dispersed, the march of “progress” will speed up but it will never become instantaneous even though technology development itself happens fast. Just look at some of the technologies we use today. I remember the cell phone was envisioned in the original Star Trek TV series. How long did it take for cell networks to take off?

So if you look at the history of cyber attacks, you are probably right in line with when these attacks should start to occur. The first hacking instances started, when? Probably in the ’80s which is roughly 35 years ago. Seems like the timeframes are right.

So what can we expect? Well, let’s take a look at who has been active in this. We’ve seen the big powers such as the US, Russia, and China involved. But we’ve also seen the smaller powers involved such as Iran, Syria, and North Korea. Why? Look at how cost effective it is.

A small Nation State can’t afford a large military presence to compete with the US or China. But cyber? Hell, Cyber is something that just involves smart Techies. And there are a lot of those. So it becomes a simple Supply/Demand equation. And with small Nation States able to get involved, that means there will be a whole lot more of these attacks simply because of the sheer volume of Nation States that can do them.

If there are only two countries that can launch Nuclear attacks, they can end up talking and negotiating things out. But the cyber situation looks more like the United Nations than a bilateral negotiation. And how well is the UN working?

I don’t think we’ll see a whole lot of very specifically targeted attacks by Nation States on specific companies unless those companies will impact a Nation as a whole. While the Russian cyber attack on the DNC was against one organization, the goal was to impact a whole country. The exception to that is the Sony attack but that felt more “personal” than Nation vs. Nation.

So, for your planning, look to see how you would be impacted by a large scale “attack”. How would you deal with your communication network going down? How would you deal with your transportation mechanisms not able to deliver because traffic patterns are disrupted? How would you deal with your stocks being disrupted by the Stock Market being attacked?

These are indirect issues that you need to consider. Unless you are a critical infrastructure organization, you need to look at the “indirect” consequences rather than a direct attack.

I receive a RSS feed from DarkReading on their news and they had an update from a Vulnerability Review made available by Flexera. In the report, the percentage of unpatched Windows operating systems in the US rose to 9.8%. They didn’t rise BY 9.8% – 9.8% of Windows machines AREN’T patched!

OMG people! I’m sorry, but you take that stat and then add in all the issues around Ransomware and you really have to give your head a shake. The single best way to make sure that you don’t get affected by malware of any sort is to patch.

Let’s face it, patching isn’t sexy. It isn’t a new technology that you can add that will solve some imaginary problem. It’s operational and it’s process based. And, because it’s process based, it’s dependent on people doing their jobs.

Now, I’m wondering if that’s part of the problem. I was talking with a CISO yesterday and she was saying that her organization was having to do more and more with fewer and fewer people. When you start to add tasks to people, you start to see things slip.

It’s the inevitable process of trying to get the minimal number of people involved in doing things and maximizing profits. Yes, I know – that’s the goal of doing business, to maximize profits. But there is a shortsightedness to this. If you cut to the bone and then begin to expose vulnerabilities, at some point you are going to have to pay for those decisions by having to mitigate the issues that are taken advantage of.

Look, every decision has its consequence. If you decide to patch properly, you are going to have to increase the number of people involved in the process. And that has a cost. If you decide to “bundle” patching over a longer period of time, then you have less people cost but you increase the risk of an issue arising. If you are okay with that increased risk and the cost to deal with the risk if/when it actually occurs, then you have made an informed decision. But there’s a balancing act that’s involved.

But you can’t all of a sudden start complaining about your organization being hit by something like Ransomware. Ransomware’s success is because of known vulnerability being exploited. And that vulnerability could have been mitigated by patching. Plain and simple.

The other aspect to all this isn’t a security issue. Patching is also a technology support issue. Remember that patches are for other operational risks, not just security risks. If a solution stops working because of an issue that could have been patched, that’s more of an “unintentional” risk that needs to be dealt with. The difference between an Operational Risk and a Security Risk?

The intention to actually take advantage of it.

So make a conscious decision on patching. Make a decision for operational reasons. Make a decision for security reasons. Just make a decision. But if you decide not to patch, then accept the result if something does happen.

It’s been an interesting morning, talking about security and outsourcing with a number of different people. And, because of these conversations, I’ve had to consolidate my thoughts on security in outsourcing.

It’s important, first of all, to remember what Outsourcing is. A lot of organizations think Outsourcing is the management of boxes. It’s not – that is managed services. For Security, that becomes Managed Security Services Providers (MSSPs). When you talk about Outsourcing, you are talking about taking on all 3 components of a solution – People, Processes, AND Technology.

When you talk about security in outsourcing, you end up talking about three layers: outsourcing that includes a security component, outsourcing the management of security technologies, and the outsourcing of the Security organization. All different versions of delivering security to customers. So let me talk about the different layers.

Outsourcing that includes a security component – When you outsource some aspect of your organization, you have to include the security components of those aspects. Remember, security isn’t a stand alone component but something that is integrated into solutions. For example, if you are outsourcing the management of Servers, how can you ensure that new servers implemented are done so without any vulnerabilities? You have to add a level of security governance to the offering just to provide that level of assurance to your customers.

Outsourcing Security technology management – this falls into the MSSP view on delivering outsourcing. This is where you are managing things like Firewalls, Anti-Virus, and IPS’ for your customers. But there is still a process component where you have to integrate alerts and reporting back to the customer. Plus, again, you have the internal governance that ensures that the activities associated with managing the security technologies are being done properly.

Outsourcing of the Security Organization – this is true outsourcing of security. This is when the technology, processes and people are all outsourced to an organization. But, in this case, your processes are now much more transparent to the customer. The processes are being paid for in order to ensure that the customer is getting process integration into the overall customer processes.

So, even if you aren’t outsourcing your entire security organization, you are trusting that your Outsourcer has some responsibilities for your security governance. The questions then become the following:

What are your expectations for security governance with your organization?

What are the legal obligations that you have documented in your contractual agreement with your Outsourcer?

There is a level of trust that you end up having to provide to your Outsourcer. You are giving the proverbial “keys to the kingdom” to them so you are also trusting that they will be implementing security processes as well. But, at the end of the day, security isn’t about just trust. It’s about “Trust but Verify”.